Category Archives: Compliance

In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress. The HIPAA Privacy Rule, also called the Standards for Privacy of Individually Identifiable Health Information, provided the first nationally recognized regulations for the use and disclosure of an individual’s health information. Essentially, the Privacy Rule defines how covered entities may use individually identifiable health information, or PHI (Personal Health Information). ‘Covered entities’ is a term often used in HIPAA compliance guidelines.

Security Risk Assessment Tool

The SRA Tool is a self-contained, operating system (OS) independent application that can be run in various environments, including Windows on desktop and laptop computers and Apple’s iOS on the iPad only.

The SRA Tool takes you through each HIPAA requirement by presenting a question about your organization’s activities. Your “yes” or “no” answer shows whether you need to take corrective action for that particular item. There are a total of 156 questions.

I have already worked with different customer frameworks, and the companies I have worked for also have their own. Everybody has one, and they are all more or less aligned with the standards: PMI, ITIL, COBIT, TOGAF…

Every time I start with a new customer and dig into the rules of the game (their framework), I ask some basic questions:

Does it cover only management, or does it also include the technical and architectural sides of the work?

Does it have templates? How good are those templates?

Does it describe standard processes?

Are there supporting tools for working in alignment with the framework? For instance, for management processes, an EPMO environment enables people to track and report on the different subjects of the project.

And the last one: how mature is the use of the framework within the organization?

The answer to the last question is the most interesting to me; this is where you can see how committed an organization is to the governance and management of all aspects of its IT activities.

Not all companies are committed to, or “married” to, their frameworks, and the level of use demanded from vendors is not always equal.

In an environment where different vendors are competing and you want to ensure the quality and coordination of the whole implementation of the IT activities, exhaustive use of a framework is key to promoting fair competition and avoiding low quality.

This sounds basic, but I have seen this sequence many times:

In the short term, they accept cheap proposals, accepting lower levels of quality in terms of documentation. In the short term, there is no great impact.

In the medium term, when they want to issue new RFPs, they find that the lack of documentation limits the number of providers able to compete. The price increases and the quality decreases, as in the following projects the lack of updated documentation extends all phases of the work.

Finally, in the long term, the company decides that it is better to pay the vendor who has the knowledge to update the documentation, which is more expensive than updating it each time something changes.

The IT security industry continues to evolve, and the amount of activity keeps growing. New needs keep being created by the continuous growth of security issues and the need to protect intellectual property.

Many markets are created through legislation, which in turn produces more and more complex compliance activities.

During our work with the Logistics business unit, we are helping them to obtain the AEO certification. Obtaining this certification has great value for their business: it gives them access to certain simplifications during the customs process.

Member States can grant AEO status to any economic operator meeting the following common criteria: customs compliance, appropriate record-keeping, financial solvency and, where relevant, security and safety standards. The status of authorised economic operator granted by one Member State is recognised by the other Member States. This does not automatically allow them to benefit from simplifications provided for in the customs rules of the other Member States. However, other Member States should grant the use of simplifications to authorised economic operators if they meet specific requirements.

Economic operators can apply for AEO status either to have easier access to customs simplifications or to be in a more favourable position to comply with the new security requirements. Under the security framework, which has been applicable since 1 July 2009, economic operators have to submit pre-arrival and pre-departure information on goods entering or leaving the EU. The security type of AEO certificate and the combined one allow their holders to benefit from facilitations with regard to the new customs controls relating to security.